Twitter API & OAuth 101 TVUG October 2009
•Transferir como PPTX, PDF•
4 gostaram•2,354 visualizações
Recomendados
Mais conteúdo relacionado
Semelhante a Twitter API & OAuth 101 TVUG October 2009
Semelhante a Twitter API & OAuth 101 TVUG October 2009 (20)
Mais de Andrew Badera
Último
Último (20)
Twitter API & OAuth 101 TVUG October 2009
- 1. Twitter & OAuth 101 What’s this twit all about? Andy Badera (@andrewbadera) andrew@badera.us http://blog.badera.us/ TVUG October 2009
- 2. Background
- 3. The Numbers 79.7M users as of October 4th (all inclusive; ~50M “official”) $153M in funding as of end of September 28,000+ applications 30,000+ developers $23M+ invested in third party app startups
- 4. Growth April 2008-2009 Via TechCrunch
- 5. APIs REST API Search API Streaming API
- 6. REST API api.twitter.com Returns: XML, JSON, RSS, ATOM Read timelines Send tweets Read/send Direct Messages
- 7. Search API http://search.twitter.com/ Returns: JSON, ATOM Trends Terms (“from:andrewbadera”) Geolocation (“near:albany within:5miles”)
- 8. New Stuff Geolocation (improved) Group Lists Retweet API Address Book Apple Push Search API cleanup
- 9. Fab Four
- 10. Platform Team?
- 12. What’s safe to use? Avoid “Twitter” Avoid bird graphics Avoid similar UI Biz sez: “Use ‘tweet.’”
- 13. Goals Register a new OAuth application Retrieve timelines Send Tweets Send/Receive Direct Messages Query Search API
- 14. .NET & Twitter Expect-100 Continue (HttpWebRequest) Request.ServicePoint.Expect100Continue = false; 302 Redirects if ( response.StatusCode == HttpStatusCode.Redirect ) { this.Url = new Uri( uri, response.Headers["Location"] ).ToString(); this.CookieContainer.Add( response.Cookies ); } 64-bit IDs (ulong - Convert.ToUInt64(“”)) LinqToTwitterhttp://www.codeplex.com/LinqToTwitter Tweetsharphttp://code.google.com/p/tweetsharp/ DotNetOpenAuthhttp://dotnetopenauth.net:8000/
- 15. RateLimit Ratelimit: 150 REST GETs/hour X-RateLimit X-RateLimit-Remaining X-RateLimit Whitelisted: 20000
- 17. In the beginning, HTTP Basic HTTP Basic Authorization Simple Familiar Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- 18. Basic Auth Pulls a Fail Whale
- 19. Downsides of HTTP Basic Auth Base64(byte[] “username:password”) Giving credentials away to third parties Password change Trust Rate limit by application IP
- 20. O-wot? Secure API authorization Blaine Cook (Twitter) Chris Messina (Ma.gnolia) Currently: OAuth 1.0A OAuth.net Shannon Whitley’s OAuthBase.cs
- 21. How OAuth Works Shared secret Nonce Timestamp
- 22. OAuth & Twitter Moves burden of ratelimit to user account Read/write (typical) Sign-in with Twitter “Guns for cash” – one time auth
- 23. Timelines
- 24. That’s cool, but …
- 27. Technical Parameter sorting Parameter URL encoding Server clock
- 28. Social OAuth is not a panacea! Use common sense!
- 29. OAuth Best Practice “As with OpenID, OAuth is difficult to implement correctly and securely. Pick a good, dependable library to take a dependency on instead.” --Andrew Arnott DotNetOpenAuth Author via email
- 30. Q&A Thanks for your time. Any questions?
- 31. Drinks! JJ Rafferty’s Route 9 North of Latham Traffic Circle on right Next to Price Chopper parking lot Across from Red Robin
- 32. Bibliography Alex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20 Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/ Biz Stone blog entry: “May the Tweets Be With You” http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
- 33. Resources Twitter API docs http://apiwiki.twitter.com/ Twitter Dev list http://groups.google.com/group/twitter-development-talk API blog http://apiblog.twitter.com/ (not well updated) @andrewbadera (http://twitter.com/andrewbadera) http://blog.badera.us/ andrew@badera.us
Notas do Editor
- Who’s heard of Twitter? Who has at least one account? Who’s been using it longer than a year? Who uses a third-party app like Tweetdeck?
- Brainstorming event while Jack was at Odeo in 2006, started as internal service; really broke out at 2007 SXSW. Working name was “Status,” “twitch” was a suggested production name, but it wasn’t quite right for some people. Twitter was the word below it in the dictionary; “twttr” was the original form used, in the spirit of flickr & such. Jack Dorsey, Chairman, Former CEO, Founder, Evan Williams, CEO, Biz Stone, Creative Director. Union Square Ventures early and major backer. Other investors include
- Some apps have already been acquired by Twitter or third parties for significant sums. (Tweetdeck by Seesmic, Summize by Twitter)
- Well over 1 Billion tweets – the first tweet at or over a billion was written in late 2008 by a bot. Go figure. Over 5000 tweets/minute during Obama’s inauguration; now over 10,000-25,000/minute, or 250+ tweets/second. Hundreds of millions of requests served per day. Personally billing more in Twitter work alone in 2009 than I did in total independent consulting in 2008.
- Three different APIs. Mention XMPP. Mention Starling – Ruby persistent queue using memcached, developed in-house. Backend now runs on Scala (over 2009). Interface still runs on Ruby on Rails. Will be focusing on REST and Search APIs tonight.
- REST API can do everything a user can do, and more.
- Recognizes trends, with and without # hashtag syntax. Allows viewing of historical trends, searches for keywords, updates to or from specific users. Started out as Summize, acquired by Twitter in mid-2008. Is not 100% uniform when compared to main REST API. Will migrate to api.twitter.com. In order to correlate a result from the Search API with an actual user, you need to do a lookup against the main API – painful cost when it comes to ratelimiting.
- api.twitter.com is new. Twitter is also introducing API versioning. (ABOUT TIME!) New lat and long parameters, more accurate “near” searches. GeoRSS and GeoJSON. Address Book – allegedly “secure and spammer-hostile” method to find Twitter users given an email address.
- Alex Payne, platform lead, second engineer hired (after Blaine Cook, former lead, former VP)RaffiKrikorian, platform engineer, Marcel Molina, translator & platform engineer and former Rails core team member, Ryan Sarver, platform engineer.
- Twitter is “uncomfortable” use of the word “Tweet” (letter to unnamedapp developer.) MyTwitterButlerautofollow app -> MyPostButler. At least one other instance. Murky. Twitter unresponsive. Disappointing.
- Biz’s blog entry latersays use “tweet,” and talks about the trademark filing. Too bad, they lost the April 16, 2009 trademark filing. Sam Johnston’s blog entry. Use “tweet,” use “post,” use “chat,” don’t use “Twitter.”
- Twitter chokes on Expect headers – make sure to quash them! (Expect defines certain behavior expectations by client.) 302 spam countermeasure … #fail!
- Response to all REST calls includes:X-RateLimit-Limit the current limit in effectX-RateLimit-Remaining the number of hits remaining before you are rate limitedX-RateLimit-Reset the time the current rate limiting period ends in epoch time.
- Whitelisting: per account or per IP
- Who here is familiar with HTTP Basic Authorization? What does it look like? **mention source param**
- [Post update to Twitter using HTTP Basic Auth.] Well gee, that doesn’t seem that tough, and it works. So what’s wrong with it?
- Putting password on the wire – encoded, not encrypted! SSL solves the problem, but not everyone is/was using https calls, and SSL can be expensive. Ratelimit: 150 REST GET/hour.
- Not an authentication protocol per se, but is evolving into or being used as such. Mention 1.0 clickjacking issue. Mention PIN?
- Shared secret – OAuth access token. Nonce value. Timestamp. Signature hash digest of all parameters, sorted lexicographically.
- [Register new OAuth web app with Twitter. Walkthrough user approval process.]
- [Retrieve public timeline. Retrieve individual timeline. Retrieve friends timeline.]
- OK, pulling that information is nice, but I think what we’re probably all a little more interested in is the messaging aspect. [Send update. Send DM. Retrieve DMs.]
- [Query search API; term, username, near, tags. Mention TweetHook?]